A macOS menu bar app for real-time network traffic monitoring with process identification, geo-mapping, and threat intelligence.
- Live Traffic Monitoring – View network statistics directly from the menu bar
- Process Identification – See which app is responsible for each connection
- Geo Map – Embedded Leaflet map showing public IP locations
- Protocol Support – TCP, UDP, ICMP over IPv4 and IPv6
- Threat Intelligence – Integration with VirusTotal, AbuseIPDB, GreyNoise, Shodan
- Anomaly Detection – ML-based heuristics to surface suspicious traffic
- Promotion Agent – Agentic decision-making to promote, label, or flag connections based on trust signals and behavioral patterns

Requirements:
- macOS 10.13+
- Xcode Command Line Tools (`xcode-select --install`)
- libpcap (`brew install libpcap`)

With Apple Developer Account:
```bash
# Set your signing identity
export CODESIGN_IDENTITY="Apple Development: Your Name (TEAMID)"
# Build and install
make
make install
make run
```

Without Apple Developer Account:
```bash
# Build
make
make helper-dev
# Install helper (one time)
sudo make install-helper-dev
# Run
make run-dev
```

| Target | Description |
|---|---|
| `make` | Build app and helper |
| `make install` | Install to ~/Applications |
| `make run` | Run installed app |
| `make dmg` | Create distributable DMG |
| `make clean` | Remove build artifacts |


| Target | Description |
|---|---|
| `make helper-dev` | Build helper without team ID validation |
| `sudo make install-helper-dev` | Install development helper |
| `sudo make uninstall-helper-dev` | Remove development helper |
| `make run-dev` | Run from build directory |

The app uses a privileged helper for packet capture. In production mode, the helper validates that the connecting app has a matching Apple Team ID.
Options:
- Apple Developer Account ($99/year) – Required for distribution and SMJobBless
- Development Mode – Bypasses team ID check; use `make helper-dev` targets
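
To see which of the two signing states a given build is in, the script below compares the `TeamIdentifier` field that `codesign -dvv` reports for the app and for the helper. It is an added example, not part of the SniffNetBar repository; the function names and the sample output are constructed for illustration, and both paths are supplied by the caller.

```shell
#!/bin/sh
# Added example (not from the SniffNetBar repository).
# Compares the TeamIdentifier that `codesign -dvv` reports for app and helper.

# Read `codesign -dvv` output on stdin; print the TeamIdentifier value.
# Ad-hoc signed binaries report "not set"; unsigned ones have no such field.
team_id() {
    sed -n 's/^TeamIdentifier=//p' | head -n 1
}

# $1 = app TeamIdentifier, $2 = helper TeamIdentifier.
# Prints one of: same-team | no-team-id | mismatch
classify_pair() {
    for tid in "$1" "$2"; do
        case "$tid" in
            ""|"not set") echo "no-team-id"; return 0 ;;
        esac
    done
    if [ "$1" = "$2" ]; then echo "same-team"; else echo "mismatch"; fi
}

# macOS only. $1 = path to the app bundle, $2 = path to the installed helper.
# Exit status is 0 only when both carry the same team ID.
audit_pair() {
    app_tid=$(codesign -dvv "$1" 2>&1 | team_id)
    helper_tid=$(codesign -dvv "$2" 2>&1 | team_id)
    verdict=$(classify_pair "$app_tid" "$helper_tid")
    echo "app=${app_tid:-none} helper=${helper_tid:-none} verdict=$verdict"
    [ "$verdict" = "same-team" ]
}

# Constructed sample output for trying the parser without codesign.
SAMPLE_SIGNED='Identifier=com.sniffnetbar.app
Authority=Apple Development: Your Name (TEAMID)
TeamIdentifier=ABCDE12345'
SAMPLE_ADHOC='Identifier=com.sniffnetbar.app
Signature=adhoc
TeamIdentifier=not set'

# Run the audit only when two paths are given on the command line.
if [ "$#" -eq 2 ]; then audit_pair "$1" "$2"; fi
```

A `same-team` verdict only shows that the signing precondition for the production check is met; it does not tell you whether the helper was built with `make helper-dev`.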
To configure signing, either:
- Pass inline: `CODESIGN_IDENTITY="..." make`
- Or create `SniffNetBar/Makefile.local`:

  ```
  CODESIGN_IDENTITY = Apple Development: Your Name (TEAMID)
  ```

Store API keys in the Keychain:
```bash
./build/set_apikey virustotal YOUR_API_KEY
./build/set_apikey abuseipdb YOUR_API_KEY
```

Default map provider: ipinfo.io. Configure via UserDefaults:

```bash
defaults write com.sniffnetbar.app MapProvider "ip-api.com"
```

Custom provider:

```bash
defaults write com.sniffnetbar.app MapProvider "custom"
defaults write com.sniffnetbar.app MapProviderURLTemplate "https://example.com/geo/%@"
```

```
SniffNetBar.app
├── Main App (AppCoordinator, MenuBuilder, UI)
├── Privileged Helper (packet capture, process lookup)
├── Modeling XPC Service (behavior analysis)
└── SQLite stores (events, trust, anomalies)
```

The privileged helper runs as a LaunchDaemon and communicates via XPC. It handles:
- Packet capture via libpcap
- Socket-to-PID mapping
- Network interface enumeration

Limitations:
- Menubar UI only (no windowed interface)
- IPv6 extension headers not fully parsed
- Requires privileged helper for packet capture

MIT OR Apache-2.0 (inspired by Sniffnet)